Cyber Security: User Access Pitfalls, A Case Study Approach

Cyber Security: User Access Pitfalls, Dec. 10th, 2015

Transcript of Cyber Security: User Access Pitfalls, A Case Study Approach

Page 1: Cyber Security: User Access Pitfalls, A Case Study Approach

Cyber Security: User Access Pitfalls, Dec. 10th, 2015

Page 2: Cyber Security: User Access Pitfalls, A Case Study Approach

Housekeeping Items

CPE credit:
1) Must answer polling Qs
2) Click on the Green button (you're present)
3) Complete the Feedback form

Page 3: Cyber Security: User Access Pitfalls, A Case Study Approach

Compliance Made Simple™

Today's Presenters

Sonia Luna, CEO, Aviva Spectrum

Mrs. Luna is a CPA and CIA with over 16 years as a public and internal audit professional. Appointed to the Smaller & Emerging Companies Advisory Committee by the SEC.

Karla Sasser, Senior Associate, Aviva Spectrum

Mrs. Sasser has over 20 years of finance, accounting and audit experience. Mrs. Sasser is an active CPA, CIA & CITP and has a Master's in Information Technology. Author of the fast-selling book "Friggin Bean Counters", sold on Amazon & Barnes and Noble.

Page 4: Cyber Security: User Access Pitfalls, A Case Study Approach

Agenda

1. Insider Threats vs. External Threats
2. State of Affairs: Internal and External Threats
3. Case Study: Internal Threats
4. Cost of a BREACH!
5. User Access Rights (Best Practices)
6. Sony Breach Lessons Learned
7. Cloud Applications (what are "targets"?)
8. Home Depot & Target Breach (Lessons Learned)
9. Final Q&A

Page 5: Cyber Security: User Access Pitfalls, A Case Study Approach

POLLING QUESTION: WHERE ARE MOST OF THESE THREATS COMING FROM?

A. INTERNAL (EMPLOYEES, VENDOR ACCESS/SUB-CONTRACTORS)?

B. EXTERNAL THREATS (UNKNOWN HACKER)?

Page 6: Cyber Security: User Access Pitfalls, A Case Study Approach

Disgruntled employees, insiders pose big hacking risk

Some 29% of the survey takers said they were most concerned about the lack of visibility into applications and networks, while 28% said their top concern was insider threats. Both of those concerns relate to how a disgruntled employee, or an insider aligned with criminals, could disrupt a company's network, or steal valuable intellectual property. By contrast, just 14% said financially-motivated hackers worried them most, while 6% cited political hacktivists.

Page 7: Cyber Security: User Access Pitfalls, A Case Study Approach

Annual reports on insider threats: 89% are more at risk from insider threats

Page 8: Cyber Security: User Access Pitfalls, A Case Study Approach

Reuters Case Study: Ex-Employee & Passwords

Page 9: Cyber Security: User Access Pitfalls, A Case Study Approach

Editor: 2 months with access AFTER TERMINATION

Matthew Keys

Page 10: Cyber Security: User Access Pitfalls, A Case Study Approach

IT Community Comments

Page 11: Cyber Security: User Access Pitfalls, A Case Study Approach

Polling Question:

What's your network access password change policy?

A. Expires after 1 year
B. Expires every 180 days
C. NEVER EXPIRES (I'm an admin!)

Page 12: Cyber Security: User Access Pitfalls, A Case Study Approach

Notable IT and Cybersecurity standard setters

1. International Organization for Standardization (ISO)
2. International Information Systems Security Certification Consortium (ISC2)
3. PCI Security Standards Council, LLC (PCI-DSS)
4. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
5. ISACA (COBIT)

Page 13: Cyber Security: User Access Pitfalls, A Case Study Approach

Polling Question:

Which IT Guidance/Frameworks are you predominantly working with now?

A. COSO and/or COBIT
B. ISO and/or ISC2
C. PCI and/or ISO
D. Most of the above

Page 14: Cyber Security: User Access Pitfalls, A Case Study Approach

The Cost of a Data Breach

Page 15: Cyber Security: User Access Pitfalls, A Case Study Approach

Principle of Least Privilege Access

Defined as the practice of limiting access to the minimal level that will allow normal functioning; it applies to both human and system (service) accounts.

Originated by the US Department of Defense in the 1970s to limit the potential damage of any accidental or malicious security breach.

It is the underlying principle and the predominant strategy used to assure confidentiality within a network: an account that cannot reach data cannot leak it.

Role-based access control was developed to group users with common access needs, simplifying security: permissions are assigned to roles, users are assigned to roles, and anything not granted through a role is denied.
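The two halves of the slide, a deny-by-default role-based check and the least-privilege question an access review asks ("of what this account can do, what does it actually use?"), as an added example in Python. This is not code from the webinar; the roles, users and activity log are constructed for illustration.

```python
"""Deny-by-default role-based access control with a least-privilege review.

Added example (not from the webinar). Roles, users and the activity log
below are constructed for illustration.
"""

# Role -> set of (action, resource) permissions. Anything not listed is denied.
ROLES = {
    "ap_clerk":   {("read", "invoices"), ("create", "invoices")},
    "ap_manager": {("read", "invoices"), ("approve", "invoices"), ("read", "vendors")},
    "backup_svc": {("read", "invoices"), ("read", "vendors"), ("read", "payroll")},
}

# User (human or system account) -> roles. Grouping users by role is what
# keeps the permission matrix small enough to review.
USERS = {
    "alice":        {"ap_clerk"},
    "bob":          {"ap_clerk", "ap_manager"},   # kept his old role when promoted
    "svc-backup01": {"backup_svc"},
}


def effective_permissions(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USERS.get(user, ()):
        perms |= ROLES.get(role, set())
    return perms


def is_allowed(user, action, resource):
    """Deny by default: unknown users, actions or resources are all refused."""
    return (action, resource) in effective_permissions(user)


def unused_privileges(user, activity_log):
    """Permissions granted to `user` that the log shows were never exercised.

    This is the least-privilege question an access review asks: of what this
    account *can* do, what does it actually *need* to do?
    """
    used = {(a, r) for (u, a, r) in activity_log if u == user}
    return effective_permissions(user) - used


# Constructed activity log: (user, action, resource), e.g. from app audit logs.
ACTIVITY_LOG = [
    ("alice", "read", "invoices"),
    ("alice", "create", "invoices"),
    ("bob", "read", "invoices"),
    ("bob", "approve", "invoices"),
    ("svc-backup01", "read", "invoices"),
    ("svc-backup01", "read", "vendors"),
]

if __name__ == "__main__":
    print(is_allowed("alice", "approve", "invoices"))   # False: not in her role
    print(is_allowed("mallory", "read", "invoices"))    # False: unknown user
    for u in USERS:
        print(u, "never used:", sorted(unused_privileges(u, ACTIVITY_LOG)))
```

Run on the constructed log, the review shows bob still holding the clerk's create right from a role he no longer needs and the backup service account holding a payroll read it has never used; both are candidates for removal.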

Page 16: Cyber Security: User Access Pitfalls, A Case Study Approach

Users with Elevated Access

By default, systems will process commands based on the level of access of the user who initiated the command.

System and domain administrators pose unique problems within a software application.

Group: Administrators

Description: Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.

Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
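Because Domain Admins and Enterprise Admins are themselves members of Administrators, anyone reviewing that group has to resolve nested membership, or a support group nested by mistake goes unnoticed. The following is an added example in Python, not code from the webinar, that flattens a constructed directory snapshot (in practice the snapshot would come from an export such as PowerShell's Get-ADGroupMember -Recursive), records the chain of groups that grants each user the right, and reports everyone not on an approved list. The group and account names are constructed.

```python
"""Resolve nested group membership to find every account with Administrators
rights, then compare against an approved list.

Added example (not from the webinar). The directory snapshot below is
constructed; the group nesting mirrors the slide, where Domain Admins and
Enterprise Admins are default members of Administrators.
"""

# Constructed snapshot: group -> direct members (users or other groups).
GROUPS = {
    "Administrators":    {"Administrator", "Domain Admins", "Enterprise Admins", "helpdesk-tier2"},
    "Domain Admins":     {"Administrator", "jsmith"},
    "Enterprise Admins": {"Administrator"},
    "helpdesk-tier2":    {"helpdesk", "contractor01"},   # support group nested by mistake
    "helpdesk":          {"tlee", "helpdesk-tier2"},     # circular nesting: must not loop forever
}

APPROVED_ADMINS = {"Administrator", "jsmith"}


def effective_members(group, groups=GROUPS):
    """Return {user: path} for every user reachable from `group`.

    `path` is the chain of groups that grants the membership, which is what a
    reviewer needs in order to fix the nesting rather than just the symptom.
    Visited groups are tracked so circular nesting terminates.
    """
    result = {}
    seen = set()
    stack = [(group, [group])]
    while stack:
        current, path = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in sorted(groups.get(current, ())):
            if member in groups:               # nested group: descend into it
                stack.append((member, path + [member]))
            elif member not in result:         # user: record the first path found
                result[member] = " -> ".join(path + [member])
    return result


def unapproved_admins(groups=GROUPS, approved=APPROVED_ADMINS):
    """Users holding Administrators rights who are not on the approved list."""
    members = effective_members("Administrators", groups)
    return {u: p for u, p in members.items() if u not in approved}


if __name__ == "__main__":
    for user, path in sorted(unapproved_admins().items()):
        print(f"REVIEW: {user} has Administrators rights via {path}")
```

On the constructed data the report names contractor01 and tlee, neither of whom was ever added to Administrators directly; the path shows the helpdesk-tier2 nesting that needs to be removed.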

Page 17: Cyber Security: User Access Pitfalls, A Case Study Approach

Polling Question

How much does SOX 404 compliance resolve your IT user access concerns?

A. A lot, we sleep well at night
B. Some but not enough
C. Very little
D. We haven't started on user access reviews

Page 18: Cyber Security: User Access Pitfalls, A Case Study Approach

Number of Cloud Apps a Company is Using

Survey results released by Netskope in July 2014 revealed that on average 508 apps are in use within each enterprise, with the top categories being marketing, human resources, collaboration, storage and finance / accounting.

- 88% of these apps have areas of concern from a security perspective
- 85% of data is uploaded to apps that enable file sharing
- 81% of data download occurred in apps with no data-at-rest encryption
- 77% of total apps reside and are processed in multi-tenant environments

Page 19: Cyber Security: User Access Pitfalls, A Case Study Approach

Top Cloud Apps Identified by Netskope

Page 20: Cyber Security: User Access Pitfalls, A Case Study Approach


As was widely reported, the hackers apparently gained access to Sony’s computer systems by obtaining the login credentials of a high-level systems administrator.  Once the credentials were in the hands of the hackers, they were granted “keys to the entire building,” according to a U.S. official.

They hacked into one server that was not well protected, and escalated the attack to gain access to the rest of the network.

Sony’s network was not layered well enough to prevent breaches occurring in one part from affecting other parts. In addition, the password “password” was used in 3 certificates.

A combination of weak passwords, lack of server layering, not responding to alerts or setting up alerts, inadequate logging and monitoring, and lack of Security Education Training and Awareness all contributed to the Sony Breach.

Page 21: Cyber Security: User Access Pitfalls, A Case Study Approach

Problems with Passwords

- People, process and technology are all needed to adequately secure a system
- When left on their own, people will make the worst security decisions
- Without any security training, people can be easily tricked into giving up their passwords
- Passwords can be insecure: people will choose easily remembered and easily guessed passwords
- Passwords can be easily broken: free programs are available on the Internet that can "crack" the password
- Passwords are inconvenient: computer-generated passwords can be difficult to remember and are written down
- Passwords do not have any authority: use of a password does not confirm the identity of the user entering the password
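What "free programs can crack the password" looks like in practice, as an added example in Python (not code from the webinar): a dictionary attack against a constructed set of unsalted SHA-256 hashes, applying a handful of the mangling rules (capitalisation, leet substitution, common suffixes) that cracking tools apply by default. The wordlist, the hashes and the plaintexts behind them are all constructed.

```python
"""Dictionary attack with simple mangling rules against unsalted SHA-256 hashes.

Added example (not from the webinar). The wordlist and the 'leaked' hash set
are constructed. It shows why 'easily remembered' passwords, including ones
dressed up with digits, symbols and leet-speak, fall to freely available
cracking tools: the rules below are a tiny subset of what those tools try.
"""
import hashlib
import itertools

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "$", "2015", "1!"]


def candidates(word):
    """Yield mangled variants of a base word, the way cracking rules do."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET),
             word.capitalize().translate(LEET)}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def crack(hashes, wordlist):
    """Return {hash: password} for every hash recovered from the wordlist."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            h = sha256_hex(cand)
            if h in targets:
                found[h] = cand
                targets.discard(h)
                if not targets:
                    return found
    return found


# Constructed 'leak': what an attacker holds after dumping a user table that
# stores unsalted SHA-256. The plaintexts are typical user choices.
LEAKED = [sha256_hex(p) for p in ("password", "Welcome123", "p@$$w0rd!", "Summer2015")]
WORDLIST = ["123456", "password", "welcome", "summer", "letmein", "qwerty"]

if __name__ == "__main__":
    for h, pw in crack(LEAKED, WORDLIST).items():
        print(f"{h[:12]}...  ->  {pw}")
```

All four constructed hashes fall to a six-word list; a genuinely random passphrase does not appear in any wordlist and is not recovered, which is the property the "easily guessed" bullet above is about.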

Page 22: Cyber Security: User Access Pitfalls, A Case Study Approach

In 2014, Cox was hacked by "EvilJordie," a member of the "Lizard Squad" hacker collective.

The FCC's investigation found that, by posing as a Cox IT staffer, the hacker convinced a Cox customer service representative to enter their account IDs and passwords into a fake website.

Under the terms of the settlement, Cox will pay the fine, identify all victims of the breach, notify them and give them a year of credit monitoring. The agreement also requires Cox to conduct internal system audits, internal threat monitoring, penetration testing and other security measures to prevent further hacks.

Page 23: Cyber Security: User Access Pitfalls, A Case Study Approach

Passwords: Cloud Apps and Remote Contractors

Cloud apps and remote contractors represent a significant risk to the overall security of the company's information assets because:

- Cloud apps can be implemented and remote contractors can be engaged without any knowledge from IT
- Most companies do not have one central point of authority for cloud apps and remote contractors
- There is a general lack of understanding of the scope of work for cloud apps and remote contractors, so elevated access is generally granted without any consideration of the risks
- User access cannot be validated against Active Directory, or exceptions to the company's password policy are granted
- One user account is shared among multiple users
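Three of the bullets above (accounts outside Active Directory, access that outlives the engagement, and one account shared by several people) can be checked from the cloud app's own login log. Below is an added example in Python, not code from the webinar, that runs those checks over a constructed log; the log format, the contractor roster and the directory account list are all assumptions for illustration.

```python
"""Checks over cloud-app login logs for the contractor and shared-account risks
listed above.

Added example (not from the webinar). The log lines, the contractor roster and
the directory account list are constructed; the log format is assumed.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed app log: ISO timestamp, event, account, source IP.
LOG = """\
2015-11-02T08:01:10Z LOGIN_OK vendor-portal 203.0.113.10
2015-11-02T08:03:45Z LOGIN_OK vendor-portal 198.51.100.7
2015-11-02T08:04:02Z LOGIN_OK vendor-portal 192.0.2.33
2015-11-02T09:15:00Z LOGIN_OK jdoe 10.0.0.21
2015-11-02T17:40:12Z LOGIN_OK contractor-acme 198.51.100.9
2015-11-30T22:10:55Z LOGIN_OK contractor-acme 198.51.100.9
2015-12-01T07:59:30Z LOGIN_OK jdoe 10.0.0.21
"""

# Constructed roster: contractor account -> last day of the engagement.
CONTRACTOR_END = {"contractor-acme": date(2015, 11, 15)}

# Constructed list of accounts that exist in Active Directory. Anything else
# is a local app account that the central password policy does not govern.
AD_ACCOUNTS = {"jdoe"}


def parse(log):
    """Turn the raw lines into (timestamp, event, account, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, event, account, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account, ip))
    return events


def shared_accounts(events, window=timedelta(minutes=10), min_ips=2):
    """Accounts logged in from `min_ips` or more distinct IPs within `window`.

    One person moving between networks can trigger this, so the result is a
    review list rather than proof; several IPs within minutes is the usual
    signature of a credential handed round a team.
    """
    by_account = defaultdict(list)
    for ts, event, account, ip in events:
        if event == "LOGIN_OK":
            by_account[account].append((ts, ip))
    flagged = {}
    for account, logins in by_account.items():
        logins.sort()
        for i, (ts, _) in enumerate(logins):
            ips = {ip for t, ip in logins[i:] if t - ts <= window}
            if len(ips) >= min_ips:
                flagged[account] = ips
                break
    return flagged


def expired_contractor_logins(events, roster=CONTRACTOR_END):
    """Successful logins by contractor accounts after the engagement end date."""
    return [(ts, account, ip) for ts, event, account, ip in events
            if event == "LOGIN_OK" and account in roster and ts.date() > roster[account]]


def accounts_outside_directory(events, directory=AD_ACCOUNTS):
    """Accounts seen in the app that cannot be validated against AD."""
    return {account for _, _, account, _ in events} - directory


if __name__ == "__main__":
    ev = parse(LOG)
    print("shared:", shared_accounts(ev))
    print("expired contractor logins:", expired_contractor_logins(ev))
    print("not in AD:", accounts_outside_directory(ev))
```

On the constructed log the vendor-portal account is used from three networks inside three minutes, the contractor account logs in two weeks after the engagement ended, and neither of those accounts exists in the directory, so neither is covered by the password policy or by the leaver process.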

Page 24: Cyber Security: User Access Pitfalls, A Case Study Approach


Page 25: Cyber Security: User Access Pitfalls, A Case Study Approach

Single Sign-On and Password Emerging Trends

Single sign-on is an authentication process that allows users to enter one user name and password to access multiple applications they have been given rights to.

Two-factor authentication requires an additional, independent factor to establish a user's identity, such as a password and a fingerprint, or a password and a one-time code from a token or phone app. (A password plus a PIN, or a retina scan plus a fingerprint, pair two factors of the same type, "something you know" or "something you are", and so do not give true two-factor authentication.)

Establishing complex user names, such as K$@ssEr

Establishing meaningful, easy to remember complex passwords, such as t3chRock$ or $omething2about! (Leet-style substitutions and appended symbols are among the first transformations password-cracking rule sets try, so length does more for strength than such decoration.)

Page 26: Cyber Security: User Access Pitfalls, A Case Study Approach


Community & Sharing

User Access Rights Webinar

Join Our LinkedIn Group: COSO Framework Discussion & Webinars

https://www.linkedin.com/groups/COSO-Implementation-4888186/about

A technical community for sharing ideas, templates and webinars, and for getting advice and learning from others implementing the new framework.

Share your latest templates here!

Page 27: Cyber Security: User Access Pitfalls, A Case Study Approach


Community & Sharing

User Access Rights Webinar

LinkedIn Group: Friggin’ Bean Counters

https://www.linkedin.com/groups/6985169

Page 28: Cyber Security: User Access Pitfalls, A Case Study Approach

Chat TIME?

Does your organization have a PROVEN SYSTEM for monitoring its user access policies?

Page 29: Cyber Security: User Access Pitfalls, A Case Study Approach

System Best Practices (diagram): User Access Controls, with review cycles labelled Weekly, Monthly, Quarterly and Annual

Page 30: Cyber Security: User Access Pitfalls, A Case Study Approach


User Access Procedure Diagnostic

Email us for 5 SPOTS ONLY: [email protected]

SUBJECT: USER ACCESS

Diagnostic steps (diagram): In-take, Internal Threat Analysis, Benchmark

Page 31: Cyber Security: User Access Pitfalls, A Case Study Approach


Aviva Spectrum is HIRING

1. SOX 404 Senior Internal Auditors
2. IT auditors
3. SEC Reporting Managers
4. Cyber security consultants

Email:

[email protected]

User Access Rights Webinar

Page 32: Cyber Security: User Access Pitfalls, A Case Study Approach

Questions?

Page 33: Cyber Security: User Access Pitfalls, A Case Study Approach


Speaker Contacts

Sonia Luna, CEO, Aviva Spectrum
CONNECT: www.linkedin.com/in/sonialuna
EMAIL: [email protected]
PHONE: (424) 625-0241

Karla Sasser, Senior Associate, Aviva Spectrum
CONNECT: www.linkedin.com/in/karlasasser
EMAIL: [email protected]
PHONE: (818) 384-8846